Abstract

While efficient algorithms are known for solving many important problems related to groups, no 
efficient algorithm is known for determining whether two arbitrary groups are isomorphic. The particular 
case of 2-nilpotent groups, a special type of central extension, is widely believed to contain the essential 
hard cases. However, looking specifically at central extensions, the natural formulation of being "the 
same" is not isomorphism but rather "equivalence," which requires an isomorphism to preserve the
structure of the extension. In this paper, we show that equivalence of central extensions can be computed 
efficiently on a classical computer when the groups are small enough to be given by their multiplication 
tables. However, in the model of black box groups, which allows the groups to be much larger, we 
show that equivalence can be computed efficiently on a quantum computer but not a classical one (under 
common complexity assumptions). Our quantum algorithm demonstrates a new application of the hidden 
subgroup problem for general abelian groups. 

1 Introduction 

Finding an efficient algorithm for group isomorphism is one of the most notable open problems in
computational group theory. While the problem is easily solved for abelian groups, the problem remains unsolved
even for some very simple generalizations to non-abelian groups. In particular, the 2-nilpotent groups, which
are central extensions of an abelian group by another abelian group, are widely believed to contain the
essential hard cases (see e.g. [3]). Hence, the computational issues surrounding this type of group extension
merit further study. 

While isomorphism is the natural notion of what it means to be the same group, the natural notion of 
being the same extension is slightly different. Indeed, the theory of group extensions,¹ whose study began
near the start of the 20th century, defines two extensions to be the same or "equivalent" if there exists an 
isomorphism that preserves the structure of the extension. (We will define this precisely in the next section.) 

Thus, it is interesting to consider whether there exists an efficient algorithm for testing equivalence of 
those extensions for which isomorphism appears difficult. In this paper, we will see that there is indeed an 
efficient algorithm. 

Group isomorphism has drawn particular interest from the quantum computing community due to its 
placement in the hierarchy of complexity classes. In particular, due to the work of [1], we know that the
isomorphism problem for solvable groups is almost in the class NP ∩ coNP. This is the class that includes
factoring and other problems for which quantum computers appear to give super-polynomial speedups. 



1 See the chapter in [10] for a nice introduction to the theory of group extensions. 
Hence, there is strong interest in determining whether the same is true of solvable group isomorphism. To
date, however, no such quantum speedup is known even for the smaller class of 2-nilpotent groups. 

Given the relationship between the conjectured hard cases of group isomorphism (2-nilpotent groups) and 
the problem of extension equivalence, it is natural to wonder whether the latter problem also could lead to 
a super-polynomial speedup of quantum algorithms over classical ones. As noted above, there is an efficient 
classical algorithm for testing equivalence. However, its efficiency depends on the fact that the given groups 
are small, in particular, small enough to write down their complete multiplication tables. 

The usual setting for the group isomorphism problem has the input groups given by their multiplication 
tables. If one cannot solve the problem in this model, then other models are out of the question. However, 
it would be both interesting and useful to be able to test equivalence of larger groups, for which this model 
is inappropriate. In particular, for groups of matrices over finite fields (which includes, for example, simple 
groups of Lie type), individual matrices are small enough to multiply and invert efficiently, but writing out
a multiplication table between all matrices in the group would often be infeasible. Yet, computational group 
theorists would still like to answer questions about such groups. 

Matrix groups are often studied in the "black box group" model. (Indeed, this was the original motivation 
for the model.) Hence, it is natural for us to consider whether there exists an efficient algorithm for testing
equivalence of group extensions in this model. 

One case we will consider is extending a group given by a multiplication table by a black box group. 
In practical terms, this means extensions of a small group by a large one. Such extensions can already 
introduce substantial complexity. For example, the dihedral group $D_{2N}$ is an extension of the tiny group
$\mathbb{Z}_2$ by a potentially large cyclic group $\mathbb{Z}_N$. Considering that the hidden subgroup problem can be solved in
quantum polynomial time for $\mathbb{Z}_N$ but not (currently) for $D_{2N}$, we can see that extensions of even
constant-sized groups can introduce substantial computational difficulty.

In this paper, we show that there is an efficient quantum algorithm for testing equivalence of extensions 
of a small group by a large abelian group or extensions of one large abelian group by another large abelian
group. Furthermore, we will show that the existence of an efficient classical algorithm for either of these
cases would break an existing cryptosystem.² Hence, under the hardness assumption of that cryptosystem,
no efficient classical algorithm exists. 

The quantum algorithm we present depends crucially on the ability to solve the hidden subgroup problem 
(HSP) for arbitrary abelian groups. (This is the essential quantum subroutine in our algorithm.)
Interestingly, while some other problems in computational group theory that can be solved efficiently on a quantum
computer can also be solved classically assuming the existence of oracles for factoring and/or discrete
logarithm, our construction does not easily translate to that setting because there is no apparent way to solve
abelian HSP classically, even with the help of such oracles. Hence, our work demonstrates a new and 
interesting application of efficient quantum algorithms for abelian HSP. 

Related Work. While we are aware of no prior work on the complexity of determining extension
equivalence in these models, our motivation for this problem comes from the status of the group isomorphism
problem for simple group extensions, and there, it is known that isomorphism can be determined efficiently
on a quantum computer in certain special cases [7]. Interestingly, the groups to which this result applies have
trivial equivalence classes,³ so the extension equivalence problem is trivial for such groups. (The answer is
always "yes".) The fact that the one class of nonabelian solvable groups for which we have made progress on
group isomorphism is one for which equivalence is trivial suggests that studying the extension equivalence 
problem may teach us something about the hard cases of group isomorphism. 

2 Note that this cryptosystem depends on the hardness of factoring, so it is already known that quantum computers could 
break it. What was not known is the relationship of this to testing equivalence of extensions. 

3 This follows from the fact that the second cohomology groups (defined below) are trivial for semi-direct products. 
2 Background



2.1 Computational Group Theory 

The study of algorithms and complexity for problems in group theory is called computational group theory. In 
order to discuss these issues, we must first specify how the group will be given as input. Multiple approaches 
have been defined (see [11] for a nice review). We will need to use three of these in our later discussion.

The first approach is to describe a group G by its multiplication table (sometimes called the "Cayley 
table"). Multiplication of group elements can be performed by table lookup, inverses can be computed by 
scanning one row of the table, and so on. This is perhaps the most natural model. However, in order to use 
this approach, the group must be small enough that it is reasonable to write down a $|G| \times |G|$ table. This
turns out to be too limiting for many computations that practitioners want to perform. 

Another approach is the "black box group" model of Babai and Szemerédi [5]. In this model, group
elements are identified by opaque strings (which need not be unique) and an oracle is provided that can 
perform the following group operations: 

1. Given $g, h \in G$, compute $gh$.

2. Given $g \in G$, compute $g^{-1}$.

3. Given $g \in G$, determine whether $g = e$, the group identity.⁴

Finally, we have to specify how the algorithm obtains the strings for some group elements in the first place. 
It is usual to assume that the input to the algorithm will be a list of generators of the group (i.e., a list of strings
identifying the generators). 

While the black box model is restricted in terms of how it can work with the group, it is even more 
restricted in terms of what is considered efficient. Since a multiplication table has size $\tilde{O}(|G|^2)$,⁵ any running
time of $\mathrm{poly}(|G|)$ is efficient in the first model. On the other hand, a non-redundant⁶ list of generators only
has length $O(\log |G|)$,⁷ so the input has size $O(\log^2 |G|)$. Hence, an algorithm is efficient in the second model
only if it has running time $\mathrm{poly}(\log |G|)$, which is exponentially faster.

It should not be surprising then to find a large difference between which problems can be solved in the 
two models. In the first model, almost every natural group problem can be solved efficiently, the notable
exception being the group isomorphism problem. In the second model, on the other hand, very few problems 
can be solved, at least classically. The main example of a problem that can be solved in this model is 
computing a derived series for a solvable group (that is, generators for each group in the series) or a central 
series for a nilpotent group. 

Interestingly, it is known that quantum algorithms can do more in the black box model. In particular, for 
abelian or even solvable groups [13], a large number of problems can be solved, the most important example
being computing the size of the group, |G|. We will show later on that the extension equivalence problem is 
another example. 

The other approaches for specifying groups use representations of particular types. The most common 
of these, the third model we will need below, is to use a permutation representation. Specifically, we assume 
that the group is explicitly a subgroup of the symmetric group, $G \le S_n$. The input is a set of generators of
G, each of which is a permutation of the set $[n] = \{1, \dots, n\}$.

4 This also allows us to determine whether $g = h$ since this is equivalent to checking $gh^{-1} = e$.

5 As is usual, $\tilde{O}(\cdot)$ is the same as $O(\cdot)$ but with suppressed terms that are logarithmically smaller than those included.
6 This simply means that no proper subset of the generators still generates the group.

7 This follows from the fact that each additional generator increases the size of the generated group by a factor equal to the
index of the old group in the new one, and this index (an integer), since it is not 1, must be at least 2. 
As in the black box model, G can be specified by at most $O(\log |G|)$ generators. Each generator in the
input has size $O(n \log n)$, so the input as a whole will have size $O(n \log n \log |G|)$. For an algorithm to be
efficient then, its running time must be polynomial both in n and $\log |G|$. Furthermore, for this model to be
useful, the size n of the set, called the "degree" of the representation, must be small. The fact that many
groups have small-degree representations is one factor leading to the great success of this third approach.
The other factor leading to its success is that many problems can be solved efficiently in this model. In fact,
nearly all of the problems that are solvable with multiplication tables are efficiently solvable here as well.
(See [11] for a long list of these problems.)

2.2 Group Extensions 

A group E is said to be an extension of G by A if $A \le E$ and $E/A \cong G$. This is called a central extension if
$A \le Z(E)$. In particular, this means that A is abelian.

Central extensions are in some ways similar to semidirect products in that the elements can be thought 
of as pairs $(a, x) \in A \times G$ with a strange multiplication. Whereas multiplication in a semidirect product
depends on a group homomorphism $G \to \operatorname{Aut} A$, multiplication in a central extension depends on a function
$f : G \times G \to A$, where we have $(a, x)(b, y) = (ab f(x, y), xy)$. The function $f$ is called a "factor set." We will
describe some of its properties below. In particular, we will show how to find $f$ for a given extension E.

Central extensions are in some sense the other natural way to combine groups, aside from semidirect 
products. In particular, any group extension of G by A, where A is abelian but not necessarily central, is 
essentially a combination of a semidirect product and a central extension.⁸ Hence, these two types represent
the two extremes of extensions of abelian groups. 

Finally, we can define the problem we are trying to solve. Two extensions, $E_1$ and $E_2$, of G by A are
said to be equivalent if there exists an isomorphism $\gamma : E_1 \to E_2$ such that $\gamma$ is the identity on A, $\gamma|_A = \mathrm{id}$,
and gives rise to the identity on G, that is, $\pi_2 \circ \gamma = \pi_1$, where $\pi_i : E_i \to G$ is the canonical projection. This
is the natural sense in which two extensions should be considered "the same".

On the other hand, it is possible for $E_1$ and $E_2$ to be isomorphic even if they are not equivalent extensions.
(Indeed, this is not even a simple matter of dealing with isomorphisms of A and G: it is apparently possible 
for extensions of non-isomorphic groups to be isomorphic.) For this reason, equivalence is a more natural 
question to consider when looking specifically at group extensions: an equivalence is an isomorphism that 
respects the structure of the group extension. 

2.3 Low Degree Group Cohomology 

Cohomology groups are often defined in an abstract manner (via Ext functors, projective resolutions, etc.). 
However, in the case of group cohomology, the low degree cohomology groups also have concrete definitions
that are equivalent but more useful for us.⁹ (See [10] for a more detailed discussion.)

In this section, we will consider cohomology only of central extensions. Cohomology can be defined more 
generally, but this simpler case is all that we will need in later sections. 

The key group for us is the second cohomology group, $H^2(G, A)$. In order to define this, however, we
first need to define cocycles and coboundaries. 

The 1-cocycles, $Z^1(G,A)$, are functions $f : G \to A$ that satisfy the identity $f(x) + f(y) - f(xy) = 0$, for
all $x, y \in G$. These are simply group homomorphisms. (Note that we are using additive notation since A is
abelian.) The 2-cocycles, $Z^2(G,A)$, are functions $f : G \times G \to A$ that satisfy the (admittedly odd-looking)
identity $f(y, z) - f(xy, z) + f(x, yz) - f(x, y) = 0$, for all $x, y, z \in G$, and have $f(x, e) = f(y, e) = e$, for all
$x, y \in G$.¹⁰ These are precisely the factor sets mentioned earlier.

8 Any extension is identified, up to isomorphism, by a homomorphism from G to Aut A (the semi-direct product part) and
a factor set (the central extension part). See [10] for details.

9 Historically, these were developed in the opposite order. The concrete definitions came first and the abstract later.

1-cochains: $C^1(G, A) = \{s : G \to A \mid s(e) = e\}$
2-cochains: $C^2(G, A) = \{f : G \times G \to A \mid f \text{ normalized}\}$
cocycles: $Z^2(G, A) = \{f : G \times G \to A \mid f \text{ normalized, cocycle condition}\} \subset C^2(G, A)$
$\partial : C^1 \to C^2$: homomorphism taking $s \in C^1(G, A)$ to $\partial s \in Z^2(G, A)$
coboundaries: $B^2(G, A) = \operatorname{Im} \partial \subset Z^2(G, A)$

Figure 1: The main objects in group cohomology.

The 2-coboundaries, $B^2(G,A)$, are functions $G \times G \to A$ that arise by taking a function $s : G \to A$
only satisfying $s(e) = e$ (called a 1-cochain) and defining $\partial s \in B^2(G,A)$ by $\partial s(x, y) = s(x) + s(y) - s(xy)$.
Note that, since s is not necessarily a homomorphism, we need not have $\partial s = 0$. It is not hard to show
that any function defined in such manner is also a 2-cocycle. In other words, we have $B^2(G,A) \le Z^2(G,A)$.
Furthermore, the function $\partial$ is in fact a (surjective) homomorphism $C^1(G,A) \to B^2(G,A)$, where $C^1(G,A)$
denotes the space of all cochains.

These definitions are summarized in Figure 1.

The sets $Z^2(G,A)$ and $B^2(G,A)$ are themselves groups with the group operation performed pointwise
(i.e., $(f + g)(x, y) = f(x, y) + g(x, y)$). In fact, they are abelian groups since A is abelian. Hence, $B^2(G,A)$
is a normal subgroup of $Z^2(G,A)$, so we can consider the quotient group $H^2(G,A) = Z^2(G,A)/B^2(G,A)$.
This is the second cohomology group.

The most important fact for us is the relationship between $H^2(G,A)$ and group extensions.

Lemma 2.1. Elements of $H^2(G,A)$ are in 1-to-1 correspondence with equivalence classes of central
extensions of G by A.

Proof Sketch. While we need not go through this proof in detail (see [10] for full details), we do need to
describe how the correspondence works since our aim is to work in the group $H^2(G,A)$, using the elements
corresponding to the two given extensions.

For an extension E of G by A, choose a representative of each coset of A in E (i.e., each element of
$G = E/A$), where we require e to represent A itself. Encode these choices into a function $s : G \to E$. Then
we can define a function $f : G \times G \to A$ by $f(x, y) = s(x)s(y)s(xy)^{-1}$. It is not hard to show that $f(x, y) \in A$
and that $f$ is a factor set, i.e., $f \in Z^2(G,A)$.

This construction depends on the choice of representatives. Choosing a different set of representatives,
we could get a different factor set $g : G \times G \to A$. However, if we do this, it will turn out that $f - g$ is a
2-coboundary. Furthermore, the only other factor sets differing from $f$ by a coboundary arise from other
choices of representatives for the same extension. Hence, $f + B^2(G,A)$ uniquely represents this extension. □

3 Results 

3.1 General Approach 

With this background, the basic idea for computing equivalence of central extensions is simple. Given $E_1$
and $E_2$, two central extensions of G by A, we can compute the factor sets $f_1, f_2 \in Z^2(G,A)$ for these two
extensions using any set of representatives. As described in Lemma 2.1, the factor sets correspond to the
same extension iff $f_1 - f_2 \in B^2(G,A)$. Thus, the general approach is to reduce extension equivalence to
testing membership in $B^2(G,A)$.

10 Sometimes cocycles are defined only by the first condition. Then those that satisfy the second are called "normalized". We
will assume throughout this paper that all cocycles, coboundaries, and cochains are properly normalized.

To make this concrete, we must specify what approach we use for representing groups. Below, we present
two algorithms, one classical and one quantum, for implementing the outline just described. These algorithms
differ in the approach used to specify the input groups, with the quantum algorithm using the more general 
approach of black box groups for A and E. Specifically, we have the following results. 

Theorem 3.1. There exists a (classical) Monte Carlo algorithm for testing the equivalence of $E_1$ and $E_2$,
two extensions of G by A, when all groups are specified by multiplication tables, running in time $O(|G|^6 |A|^3)$.

Theorem 3.2. There exists a quantum algorithm for testing the equivalence of $E_1$ and $E_2$, two extensions
of G by A, where A, $E_1$, and $E_2$ are given as black box groups and G is given by a multiplication table,
running in time $O(|G|^6 \log^6 |A|)$.

Theorem 3.3. There exists a quantum algorithm for testing the equivalence of $E_1$ and $E_2$, two
extensions of G by A, where G is abelian and all groups are presented as black box groups, running in time
$\mathrm{poly}\log |G| \cdot \mathrm{poly}\log |A|$.

For simplicity, we first prove these three theorems in subsections 3.2–3.4, assuming that $E_1$ and $E_2$ are
central extensions. We discuss how to extend these two algorithms to non-central extensions in subsection 3.5.

In subsection 3.6, we show that the problem solved by the quantum algorithms is classically hard under
the assumption of the Goldwasser-Micali cryptosystem [8] (that quadratic residuosity is classically hard).

Theorem 3.4. There exists a randomized polynomial time reduction from quadratic residuosity to testing 
equivalence of central extensions of G by A, where A is given as a black box group and either G is given as a 
multiplication table or G is abelian and given as a black box group. Hence, under the assumption that there 
is no efficient (classical) Monte Carlo algorithm for testing quadratic residuosity, there is no efficient Monte 
Carlo algorithm for testing equivalence of extensions of G by A in this model. 

Finally, in subsection 3.7, we use the machinery developed for these algorithms to show that we can also
efficiently count the number of inequivalent extensions in the two models. Specifically, we have the following: 

Theorem 3.5. There exists an efficient (classical) Monte Carlo algorithm for counting the number of
equivalence classes of extensions of G by A when both groups are given by multiplication tables.

Theorem 3.6. There exists an efficient quantum algorithm for counting the number of equivalence classes 
of extensions of G by A when A is given as a black box group and G is given by a multiplication table. 

3.2 Classical Algorithm 

For the classical algorithm, we take the inputs A, G, and $E_1$ and $E_2$ as multiplication tables. This is the
usual setup for the group isomorphism problem, and it is natural to consider extension equivalence in the
same manner. However, we must also require that the isomorphism $E_i/A \cong G$ be provided explicitly so that
we are not required to solve a group isomorphism problem in order to understand the relationship between
$E_i$ and G. This will be specified as a table of pairs $(x, g)$, where each $x \in E_i$ appears exactly once along
with the $g \in G$ such that $x + A \mapsto g$.

Proof of Theorem 3.1. As described above, we will reduce to membership testing in $B^2(G,A)$. Since the
group $B^2(G,A)$ has size $\sim |A|^{|G|}$, we cannot reduce to a membership test using a multiplication table
because the time to write such a table is exponentially large in the input size. We also cannot reduce to a
membership test using a black box model simply because there is no efficient classical algorithm known for
membership testing in this model. Fortunately, we will see that we can reduce to a membership test using
the third approach, a permutation representation. We can then perform the membership testing efficiently
using the algorithm from [4].

First, note that we can represent A using the regular representation, that is, each $a \in A$ is represented
as a permutation $\sigma(a)$ of the set A itself. The degree of this representation is $|A|$, which is small. And it is
easy to see that this representation of A is faithful. (This is Cayley's theorem.)

Define $C^2(G,A)$ to be all maps $G \times G \to A$. These are simply vectors of $|G|^2$ elements of A. (Since
$B^2(G,A) \le Z^2(G,A) \le C^2(G,A)$, we can think of elements of $B^2(G,A)$ and $Z^2(G,A)$ in the same way.)
Put another way, $C^2(G,A)$ is a direct sum of $|G|^2$ copies of A. Hence, we can represent $f \in C^2(G,A)$ as
the direct sum (as vector spaces) of $\sigma(f(g, h))$ for each $g, h \in G$. It is again clear that this representation is
faithful: $\sigma(f)$ is the identity iff $\sigma(f(g, h))$ is the identity for each $g, h \in G$ iff $f(g, h) = e$ for each $g, h \in G$ (since
our representation of A is faithful) iff $f$ is the identity in $C^2(G,A)$ (by definition).

In other words, our representation space is the set $\{a_{g,h} \mid a \in A,\ g, h \in G\}$: elements of A labelled by
pairs $(g, h) \in G \times G$. We can see that the degree of this representation is $n = |A| |G|^2$.

It is possible that A may have a permutation representation with smaller degree in special cases, but in
the worst case, it must be $|A|$. In particular, any simple cyclic group requires this degree. It is also easy to
see that any faithful representation of $C^2(G,A)$ must contain all $|G|^2$ copies of this representation. Hence,
our degree of $|A| |G|^2$ cannot in general be improved.

In order to invoke a membership test for $B^2(G,A)$, we also need to provide a generating set. The easiest
way to do this is to take a generating set for $C^1(G,A)$ and then push it forward to $B^2(G,A)$ by applying
$\partial$. Any $f \in B^2(G,A)$ satisfies $f = \partial s$ for some $s \in C^1(G,A)$. So if $s_1, \dots, s_k$ is a generating set for
$C^1(G,A)$, then we have $s = s_1^{j_1} \cdots s_k^{j_k}$ for some $\{j_i\} \subset \mathbb{Z}^+$. And since $\partial$ is a homomorphism, we have
$f = \partial(s_1^{j_1} \cdots s_k^{j_k}) = \partial(s_1)^{j_1} \cdots \partial(s_k)^{j_k}$. Thus, $\partial s_1, \dots, \partial s_k$ is a generating set for $B^2(G,A)$.¹¹

It is easy to find a minimal generating set for $C^1(G,A)$. Since this group is simply a direct sum of $|G|$
copies of A, a minimal generating set for $C^1(G,A)$ is given by $|G|$ copies of a minimal generating set for
A. We can find a generating set for A with high probability simply by choosing $O(\log |A|)$ random elements
[11]. And it is easy to see that we can choose random elements from A since we have an explicit list of its
elements. Hence, we can construct a generating set for $C^1(G,A)$ of size $O(|G| \log |A|)$.

Finally, note that, since we have a simple formula for $\partial$, taking constant time to evaluate for each
$(g, h) \in G \times G$, we can construct the generating set for $B^2(G,A)$ in $O(|G|^2)$ time for each element in the set.
Since this set contains $O(|G| \log |A|)$ elements, we can construct the generating set in $O(|G|^3 \log |A|)$ time.

The other input to the membership test is the element $f_1 - f_2 \in Z^2(G,A)$. We can compute this easily
in linear time once we construct a factor set $f_i$ for each extension. To do this, we simply need to choose
(arbitrarily) a representative $s_i(g) \in E_i$ for each $g \in G$, which we can do in one pass over the table providing
the isomorphism $E_i/A \cong G$. (Also note that we must choose $e \in E$ to represent $e \in G$.) This takes
$O(|A| |G|)$ time. Next, we compute $f_i$ for each $g, h \in G$ by $f_i(g, h) = s_i(g) + s_i(h) - s_i(gh)$. Finally,
we subtract them pointwise to compute $f_1 - f_2$. All of the above can be done in $O(|A| |G| + |G|^2)$ time.

It remains to invoke a membership test for a permutation group. The fastest algorithms apply to
so-called "small-base groups", but unfortunately, this representation is not one.¹² For the general case, the
fastest known algorithm is from [1] and runs in time $O(n^3)$.

All of the membership test algorithms for permutation groups work by first computing what is called
a strong generating set. As noted in [4], Gaussian elimination is a special case of this construction, so the
running time of $O(n^3)$ is in fact optimal for all algorithms that work in this manner.

11 Since $\partial$ is not an isomorphism, this generating set may be redundant. However, since its kernel is very small compared to
$|C^1(G,A)|$, this increases the size of the generating set by a $1 - o(1)$ factor.

12 The group $B^2(G,A)$ would be small-base if $\log |B^2(G,A)| = O(\mathrm{polylog}\, n) = O(\mathrm{poly}(\log |G| + \log |A|))$, but we can see that
$B^2(G,A)$ is much bigger than this.
We note that the time to run this membership test dominates the time required to prepare its inputs, so
the overall running time will be $O(n^3) = O(|A|^3 |G|^6)$. □
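
The reduction of Sections 3.1 and 3.2, as an added example that is not code from the paper: it builds factor sets from multiplication tables, pushes the generators of $C^1(G,A)$ forward through $\partial$, and tests whether $f_1 - f_2 \in B^2(G,A)$. It assumes $A = \mathbb{Z}_p$ with p prime, so that the membership test becomes Gaussian elimination over $\mathbb{F}_p$ (the special case mentioned above) rather than a general permutation-group test; all function names and the sample extensions built from $\mathbb{Z}_9$ and $\mathbb{Z}_3 \times \mathbb{Z}_3$ are constructed for illustration.

```python
from itertools import product

def cyclic_table(n):
    """Multiplication table of Z_n; element 0 is the identity."""
    return [[(i + j) % n for j in range(n)] for i in range(n)]

def inverse(table, x):
    # Inverses are found by scanning one row of the table.
    return table[x].index(0)

def factor_set(G, E, iota, proj, reps=None):
    """f(x, y) = s(x) s(y) s(xy)^{-1} as a vector over Z_p indexed by (x, y).

    iota[a] is the element of E that a in Z_p maps to; proj[e] is the image
    of e in G (the table of pairs giving E/A = G).
    """
    if reps is None:                      # one pass over the projection table
        reps = {}
        for e, g in enumerate(proj):
            reps.setdefault(g, e)
    assert reps[0] == 0 and all(proj[e] == g for g, e in reps.items())
    to_a = {e: a for a, e in enumerate(iota)}
    n = len(G)
    return [to_a[E[E[reps[x]][reps[y]]][inverse(E, reps[G[x][y]])]]
            for x, y in product(range(n), repeat=2)]

def coboundary(G, s, p):
    """(ds)(x, y) = s(x) + s(y) - s(xy) in Z_p."""
    n = len(G)
    return [(s[x] + s[y] - s[G[x][y]]) % p
            for x, y in product(range(n), repeat=2)]

def b2_generators(G, p):
    """Images under d of the generators of C^1(G, Z_p) (cochains with s(e) = 0)."""
    n = len(G)
    return [coboundary(G, [int(h == g) for h in range(n)], p)
            for g in range(1, n)]

def in_span(gens, v, p):
    """Membership in the F_p-span of gens by Gaussian elimination."""
    basis = {}                            # pivot column -> row with pivot 1

    def reduce(row):
        row = list(row)
        for col in sorted(basis):
            if row[col]:
                c = row[col]
                row = [(r - c * b) % p for r, b in zip(row, basis[col])]
        return row

    for g in gens:
        r = reduce(g)
        piv = next((i for i, x in enumerate(r) if x), None)
        if piv is not None:
            scale = pow(r[piv], -1, p)
            basis[piv] = [(x * scale) % p for x in r]
    return not any(reduce(v))

def equivalent(G, p, ext1, ext2):
    """True iff f1 - f2 lies in B^2(G, Z_p)."""
    f1, f2 = factor_set(G, *ext1), factor_set(G, *ext2)
    diff = [(a - b) % p for a, b in zip(f1, f2)]
    return in_span(b2_generators(G, p), diff, p)

# Constructed sample input: extensions of G = Z_3 by A = Z_3.
P = 3
G = cyclic_table(3)
Z9 = cyclic_table(9)
Z3xZ3 = [[3 * ((x // 3 + y // 3) % 3) + (x + y) % 3 for y in range(9)]
         for x in range(9)]
IOTA = [0, 3, 6]                                  # a -> 3a in both groups
E1 = (Z9, IOTA, [e % 3 for e in range(9)])        # projection x -> x mod 3
E2 = (Z9, IOTA, [(2 * e) % 3 for e in range(9)])  # same group, projection x -> 2x mod 3
E3 = (Z3xZ3, IOTA, [e % 3 for e in range(9)])     # split extension
E1_OTHER_REPS = E1 + ({0: 0, 1: 4, 2: 5},)        # E1 with different coset representatives

if __name__ == "__main__":
    print("E1 vs E1 (other representatives):", equivalent(G, P, E1, E1_OTHER_REPS))
    print("E1 vs E2 (same group Z_9):       ", equivalent(G, P, E1, E2))
    print("E1 vs E3:                        ", equivalent(G, P, E1, E3))
```

E1 and E2 share the same multiplication table, so they are isomorphic as groups, yet the test reports them as inequivalent extensions.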

3.3 Quantum Algorithm for Small G 

For classical algorithms, we excluded the possibility of using a membership test for black box groups because 
no efficient algorithm is known to exist. However, in the quantum case, we have such an algorithm [BJ. As 
a result, it is natural to consider whether extension equivalence can also be solved in the black box model. 

Our quantum algorithm will take the inputs A and E as black box groups. That is, we are given a
generating set for each and an oracle for performing the three operations listed earlier in the group E.¹³

For the group G, on the other hand, we first consider the case when G is given by a multiplication 
table. In this case, we can efficiently work with the group $B^2(G,A)$ since it has a generating set of size
$O(|G|^2 \log |A|)$ and we only need a running time polynomial in $|G|$ in this model. Practically speaking, this
means that we will be able to compute equivalence of extensions of a small group G by a large group A using 
this algorithm. Such extensions can still be quite complicated groups. 

Finally, the isomorphism $E_i/A \cong G$ will be provided as an oracle since we cannot reasonably take a table
with $|E|$ rows as input. Given an element $x \in E_i$, the oracle returns the $g \in G$ that corresponds to $x + A \in E_i/A$.

Proof of Theorem 3.2. As in the classical algorithm, we will apply the correspondence in Lemma 2.1 and
reduce to a membership test in $B^2(G,A)$.

In order to use a membership test for $B^2(G,A)$, we must show how to construct an oracle for this group
or a larger group containing it. We will work with $C^2(G,A)$. Since each element of $C^2(G,A)$ is a vector (or
direct sum) of $|G|^2$ elements of A, we can identify elements of this group by strings containing $|G|^2$ strings
for elements of A. We can perform multiplication and inverses pointwise, each using $|G|^2$ calls to the oracle
for A. Similarly, the identity in $C^2(G,A)$ is simply $|G|^2$ copies of the identity in A, so we can also check for
the identity with $|G|^2$ calls to the oracle for A.

One input to the membership test is a generating set for $B^2(G,A)$. We saw in the previous section that
this can be constructed simply by making $|G|^2$ labelled copies of a generating set for A. In this case, we are
given a generating set for A as input, and we can turn this into $|G|^2$ labelled copies in $O(|G|^2 \log |A|)$ time.¹⁴

The other input to the membership test is the element $f_1 - f_2$. As before, in order to compute these
factor sets, we need to be able to choose a representative of each coset of A in E. However, note that our
classical algorithm ran in $O(|E|)$ time, which is no longer efficient in this model. So we will need a slightly
different approach.

Instead of enumerating E, we will select random elements from E and invoke the oracle we are given to
find the projection in G. If $x \in E$ projects onto $g \in G$, then this gives us our representative $s(g) = x$ for
g. We continue to select random elements until we have a representative for each $g \in G$ (aside from $e \in G$,
which we set to $s(e) = e$).

Now, since we are only given a generating set for E, it is not possible to select uniformly random elements.
However, we can compute nearly uniformly random elements as described in [2] in time linear in the size
of the generating set for E (plus an $O(\log^5 |A|)$ additive term). The generated elements are nearly uniform
in the sense that the probability of generating $x \in E$ is off by a $1 - o(1)$ factor, which we can choose to be
arbitrarily small.

With this, the probability of producing any particular $g \in G$ will be $(1 \pm \epsilon)/|G|$. Hence, by standard
calculations, we will produce a representative for each $g \in G$ with high probability after $O(|G| \log |G|)$
random choices. The overall time to compute these representatives is $O(|G| \log |A| + \log^5 |A|)$.

13 This also works for $A$ since $A < E$.

14 This is assuming that we are given a generating set for $A$ of size $O(\log |A|)$. We can easily reduce to a generating set of
this size, if this is not what we are given, by using random subproducts as described in [11].
With choices of representatives $s_i$ for each $E_i$, we can compute the factor sets $f_i$ and their difference
$f_1 - f_2$ in the same manner as in the classical algorithm. This takes time $O(|G|^2)$.

To perform the membership test, we apply the algorithm from [6], which can be used to compute the
size of a subgroup. We call this once with the generating set for $B^2(G, A)$ and once with this generating set
plus $f_1 - f_2$. If the latter subgroup is larger, then $f_1 - f_2 \notin B^2(G, A)$, and the extensions are not equivalent.
Otherwise, they are equivalent.

As described in [9], the running time of the algorithm for computing group size depends on the size of
the generating set, $k$, and the maximum order of any element in the group, $q$. As mentioned above, we have
$k = O(|G|^2 \log |A|)$ for the first. For the second, the best bound we have in general is $q = |A|$.

The algorithm first performs $O(k \log q)$ group operations. Each of these translates into $|G|$ calls to the
oracle for $A$. Thus, all together, it will perform $O(|G|^4 \log^2 |A|)$ calls to the oracle for $A$. The algorithm also
performs $O(k^3 \log^2 q) = O(|G|^6 \log^5 |A|)$ other elementary operations as part of its post-processing, which
dominates the running time.

There are a few other details about the running time of this algorithm that need to be considered.
However, to keep this presentation simpler, we discuss those in the appendix, in section A. Here, it suffices
to say that the other necessary processing adds at most a $\log |A|$ factor to the running time, giving us
a running time of $O(|G|^6 \log^6 |A|)$. □

As in the classical case, it turns out that the quantum algorithm needs to perform something like Gaussian
elimination on a matrix (footnote 15). This occurs within the post-processing steps of the algorithm for computing the
size of the subgroup. The matrix in question has rows and columns indexed by generators, and since we
have $O(|G|^2 \log |A|)$ generators, we get an $O(|G|^6)$ factor in the running time of the algorithm.

The dependence on $|A|$, on the other hand, is exponentially improved compared to the classical algorithm.
Hence, if the group $G$ is fairly small (i.e., $|G| = O(\log |A|)$) then the quantum algorithm is exponentially faster
overall. As we will see in the next section, extensions of small groups (even constant sized) are complicated
and interesting objects.

3.4 Quantum Algorithm for Large, Abelian G 

As mentioned in the previous subsection, when $G$ is a black box group, we have little hope of working with
the group $B^2(G, A)$ since we cannot efficiently write down a generating set. Worse, we cannot even write
down an $f \in Z^2(G, A)$ corresponding to our extension because this requires $|G|$ numbers in the general
case. Hence, it is clear that we will need to put some restrictions on the form of $f$ if we are to work with it
efficiently. Below, we will see that this can be done without loss of generality in the case where $G$ is abelian.

By the structure theorem for abelian groups, we know that $G \cong \mathbb{Z}_{d_1} \times \cdots \times \mathbb{Z}_{d_m}$ for some integers
$d_1 \mid d_2 \mid \cdots \mid d_m$, which means $m = O(\log |G|)$. We can use the algorithm of [6] to efficiently decompose $G$
into a product of this form on a quantum computer, so we can assume that we have $G$ in this form.

As usual, we will have $f = \partial s$ for some $s : G \to E$. In particular, for $\{x_i \in \mathbb{Z}_{d_i}\}_{i \in [m]}$, we will choose
$s(x_1, \dots, x_m) = s_1^{x_1} \cdots s_m^{x_m}$ for some $\{s_i \in E\}$ such that $s_i$ is a representative of $e_i = (0, \dots, 0, 1, 0, \dots, 0) \in G$
(where the 1 is in the $i$-th place). We can check that this $s$ is a valid set of representatives for $G$. Since
$\pi : E \to G$ is a homomorphism, we can see that $\pi(s(x_1, \dots, x_m)) = (\pi s_1)^{x_1} \cdots (\pi s_m)^{x_m} = e_1^{x_1} \cdots e_m^{x_m} =
(x_1, 0, \dots, 0) \cdots (0, \dots, 0, x_m) = (x_1, \dots, x_m)$.

Most importantly, it is clear that we can write down the numbers $s_1, \dots, s_m$ efficiently in terms of our
generators for $A$, so this gives us an efficient way to represent $s$ and $f = \partial s$.

Let us define $\mathcal{F}(G, E)$ to be the set of functions $G \to E$ of the above form, i.e., $s \in \mathcal{F}(G, E)$ iff
$s(x_1, \dots, x_m) = s_1^{x_1} \cdots s_m^{x_m}$ for some $s_1, \dots, s_m \in E$. Note that we have $s(0, \dots, 0) = 0$, so these functions
are normalized. Since $s(x_1, \dots, x_m)$ is always a representative of $(x_1, \dots, x_m) \in G$, as we saw in the
proof of Lemma 2.1, we then always have $\partial s \in Z^2(G, A)$, that is, $\partial\mathcal{F}(G, E) \subset Z^2(G, A)$. Likewise, if we
consider the functions $\mathcal{F}(G, A)$ (with codomain $A$ rather than $E$), we see that these are a subset of $C^1(G, A)$:
every $s \in \mathcal{F}(G, A)$ is a 1-cochain, but not every 1-cochain is in this concise form (defined in terms of some
$s_1, \dots, s_m$). So we define $B^2_{\mathcal{F}}(G, A) = \partial\mathcal{F}(G, A) \subset \partial C^1(G, A) = B^2(G, A)$. (It may be helpful to refer back
to Figure 1 for the definitions of $C^2$, $B^2$, $Z^2$, etc.)

15 Specifically, computing the Smith normal form of a matrix. See [6] for details.

The following lemma shows that it will be sufficient to work with $B^2_{\mathcal{F}}(G, A)$.

Lemma 3.7. Suppose that $f \in \partial\mathcal{F}(G, E_1)$ and $g \in \partial\mathcal{F}(G, E_2)$, then $f - g \in B^2(G, A)$ iff $f - g \in B^2_{\mathcal{F}}(G, A)$.

Proof. Since $B^2_{\mathcal{F}}(G, A) \subset B^2(G, A)$, the reverse direction is immediate.

For the forward direction, suppose that $f - g \in B^2(G, A)$. We know that $f = \partial s$ for some $s \in \mathcal{F}(G, E_1)$.
Since $g$ differs from $f$ by a coboundary, $E_1$ and $E_2$ are equivalent extensions. This means, in particular, that
there exists an isomorphism $\tau : E_2 \to E_1$ respecting $A$ and $G$. Now, let $u \in \mathcal{F}(G, E_2)$ be such that $g = \partial u$.
Then we can see that

$$\tau(g(x, y)) = \tau(\partial u(x, y)) = \tau(u(x)u(y)u(x + y)^{-1}) = \tau u(x)\,\tau u(y)\,(\tau u(x + y))^{-1}.$$

Since $g(x, y) \in A$ and $\tau$ restricts to the identity on $A$, we see that $g(x, y) = \tau g(x, y) = (\partial \tau u)(x, y)$. Thus,
$g$ can be realized as $\partial t$ for some $t : G \to E_1$, namely, $t = \tau u$. Furthermore, since $u$ is of the form
$u(x_1, \dots, x_m) = u_1^{x_1} \cdots u_m^{x_m}$, we see that $t(x_1, \dots, x_m) = \tau u(x_1, \dots, x_m) = (\tau u_1)^{x_1} \cdots (\tau u_m)^{x_m}$, which shows
that $t \in \mathcal{F}(G, E_1)$ with $t_i = \tau u_i$ the representative of $e_i$ for each $i \in [m]$.

The above shows that we can restrict our attention to considering $f - g = \partial s - \partial t$, where $s, t \in \mathcal{F}(G, E_1)$.
In this case, we can compute

$$f(x) - g(y) = s(x)s(y)s(x + y)^{-1}\,(t(x)t(y)t(x + y)^{-1})^{-1} = s(x)s(y)s(x + y)^{-1}\,t(x + y)\,t(y)^{-1}\,t(x)^{-1}.$$

Now, note that $s(x + y)^{-1}t(x + y) \in A$ since

$$\pi(s(x + y)^{-1}t(x + y)) = (\pi s(x + y))^{-1}\,\pi t(x + y) = -(x + y) + (x + y) = 0$$

in $G$. Since $A$ is central in $E$, we can move $s(x + y)^{-1}t(x + y)$ to the end. This leaves $s(y)t(y)^{-1}$ adjacent.
Since this is in $A$ for the same reason, we can rearrange this as well. Thus, we have $f(x) - g(y) =
s(x)t(x)^{-1}\,s(y)t(y)^{-1}\,s(x + y)^{-1}t(x + y)$. This is close, but not identical, to

$$\partial(st^{-1})(x, y) = s(x)t(x)^{-1}\,s(y)t(y)^{-1}\,(s(x + y)t(x + y)^{-1})^{-1},$$

the only difference being the order of the last two factors.

We can show, however, that these two terms commute. In particular, let $x = (x_1, \dots, x_m)$. Then we have
$s(x_1, \dots, x_m) = s_1^{x_1} \cdots s_m^{x_m}$ and $t(x_1, \dots, x_m) = t_1^{x_1} \cdots t_m^{x_m}$ so that $s(x)t(x)^{-1} = s_1^{x_1} \cdots s_m^{x_m} t_m^{-x_m} \cdots t_1^{-x_1}$.
Since $s_m$ and $t_m$ are both representatives of $e_m \in G$, we know that $s_m^{x_m} t_m^{-x_m} \in A$, which means we can move
this term to the end. Repeating this as above, we have $s(x)t(x)^{-1} = s_1^{x_1} t_1^{-x_1} \cdots s_m^{x_m} t_m^{-x_m}$. Now, since $s_m$
and $t_m$ are both representatives of $e_m$, they must differ by a factor of some $a_m \in A$, so we have $t_m = s_m a_m$,
which means that $s_m^{x_m} t_m^{-x_m} = s_m^{x_m} s_m^{-x_m} a_m^{-x_m}$, and more generally, $s(x)t(x)^{-1} = a_1^{-x_1} \cdots a_m^{-x_m}$. Now, if we
compute the product in the other order, we have $t(x)^{-1}s(x) = t_m^{-x_m} \cdots t_1^{-x_1} s_1^{x_1} \cdots s_m^{x_m} = t_1^{-x_1} s_1^{x_1} \cdots t_m^{-x_m} s_m^{x_m}$
by the same rearranging as before, and since $t_1^{-x_1} s_1^{x_1} = s_1^{-x_1} a_1^{-x_1} s_1^{x_1} = a_1^{-x_1}$ (using the fact that $A$ is central
in $E_1$), we can see that $t(x)^{-1}s(x) = a_m^{-x_m} \cdots a_1^{-x_1}$. This is equal to what we computed for $s(x)t(x)^{-1}$ since
$A$ is abelian, so we have shown that $f(x) - g(y) = \partial(st^{-1})(x, y)$.

If we let $v : G \to E_1$ be defined by $v(x) = s(x)t(x)^{-1}$, then we have shown above that $f - g = \partial v$. In
particular, we showed $v(x_1, \dots, x_m) = a_1^{-x_1} \cdots a_m^{-x_m}$, which means that $v \in \mathcal{F}(G, A)$ with $v_i = a_i^{-1}$. Thus,
we have seen that $f - g \in \partial\mathcal{F}(G, A) = B^2_{\mathcal{F}}(G, A)$. □
The following two lemmas tell us more about what elements in these groups look like.

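Lemma 3.8. If $h \in B^2_{\mathcal{F}}(G, A)$, then there exist $\alpha_1, \dots, \alpha_m \in A$ such that $h(x, y) = \prod_{i=1}^m \alpha_i^{\delta_i}$, where $\delta_i = 1$
if $x_i + y_i \ge d_i$ and $0$ otherwise, and $\alpha_i = a_i^{d_i}$ for some $a_i$.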

Proof. If $h$ is as above, we know that $h = \partial v$ for some $v \in C^1(G, A)$, where $v$ is of the form $v(x_1, \dots, x_m) =
a_1^{x_1} \cdots a_m^{x_m}$ for some $\{a_i \in A\}$. Since $A$ is abelian, we can see that

$$h(x, y) = v(x_1, \dots, x_m)\,v(y_1, \dots, y_m)\,v(x_1 + y_1, \dots, x_m + y_m)^{-1} = \prod_{i=1}^m a_i^{x_i} a_i^{y_i} a_i^{-(x_i + y_i) \bmod d_i}$$

because $x_i + y_i$ in $G$ is computed mod $d_i$. If $x_i + y_i < d_i$, then the mod has no effect, and we see that
$h(x, y) = e$. On the other hand, if $x_i + y_i \ge d_i$, then $-(x_i + y_i) \bmod d_i = -x_i - y_i + d_i$. This means
that $a_i^{x_i} a_i^{y_i} a_i^{-(x_i + y_i) \bmod d_i} = a_i^{d_i}$, so we can see that $h(x, y) = \prod_{i=1}^m a_i^{d_i \delta_i}$, where each $\delta_i$ is defined as in the
statement of the lemma. We get the form in the statement by defining $\alpha_i = a_i^{d_i}$. □

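Lemma 3.9. If $f \in Z^2_{\mathcal{F}}(G, A)$, so that $f = \partial s$ for some $s \in \mathcal{F}(G, E)$, then there exist $\{\alpha_i \in A\}_{1 \le i \le m}$ and
$\{\beta_{ij} \in A\}_{1 \le i < j \le m}$ such that $f(x, y) = \prod_{1 \le i \le m} \alpha_i^{\delta_i} \prod_{1 \le i < j \le m} \beta_{ij}^{y_i x_j}$, where $\delta_i$ is defined as in the previous
lemma, $\alpha_i = s_i^{d_i}$, and $\beta_{ij} = [s_i, s_j^{-1}]$.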

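Proof. By definition, we have

$$f(x, y) = s(x)s(y)s(x + y)^{-1} = s_1^{x_1} \cdots s_m^{x_m}\, s_1^{y_1} \cdots s_m^{y_m}\, s_m^{-(x_m + y_m) \bmod d_m} \cdots s_1^{-(x_1 + y_1) \bmod d_1}.$$

As in the previous lemma, we can rewrite this as

$$f(x, y) = s_1^{x_1} \cdots s_m^{x_m}\, s_1^{y_1} \cdots s_m^{y_m}\, s_m^{-x_m - y_m + d_m \delta_m} \cdots s_1^{-x_1 - y_1 + d_1 \delta_1}.$$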

We can begin by using the fact that $s_i^{d_i} \in A$ for each $i$. This follows because $\pi(s_i^{d_i}) = \pi(s(e_i)^{d_i}) =
(0, \dots, d_i, \dots, 0) = 0$ since the $i$-th part of $G$ is $\mathbb{Z}_{d_i}$, meaning addition is modulo $d_i$.

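Thus, we can define $\alpha_i = s_i^{d_i}$. Since $A$ is abelian, we can pull all of these factors to the front. This puts
$f$ in the form

$$f(x, y) = \prod_{i=1}^m \alpha_i^{\delta_i} \; s_1^{x_1} \cdots s_m^{x_m}\, s_1^{y_1} \cdots s_m^{y_m}\, s_m^{-x_m - y_m} \cdots s_1^{-x_1 - y_1}.$$

In the middle of the latter product, we have $s_{m-1}^{y_{m-1}} s_m^{y_m} s_m^{-x_m - y_m} s_{m-1}^{-x_{m-1} - y_{m-1}}$. We can cancel $s_m^{y_m}$ and
$s_m^{-y_m}$, leaving us with $s_{m-1}^{y_{m-1}} s_m^{-x_m} s_{m-1}^{-x_{m-1} - y_{m-1}}$. In order to cancel the $s_{m-1}^{y_{m-1}}$, we first have to move it past
the $s_m^{-x_m}$. We can do this by introducing a commutator that compensates for the order change. This allows
the $s_{m-1}^{y_{m-1}}$ factor to cancel, leaving us with $[s_{m-1}^{y_{m-1}}, s_m^{-x_m}]\, s_m^{-x_m} s_{m-1}^{-x_{m-1}}$.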

More generally, we can consider $[s(u), s(v)]$ for any $u, v \in G$. We can see that

$$\pi[s(u), s(v)] = \pi(s(u)s(v)s(u)^{-1}s(v)^{-1}) = \pi s(u)\,\pi s(v)\,\pi s(u)^{-1}\,\pi s(v)^{-1} = u + v - u - v = 0,$$

which means that $[s(u), s(v)] \in A$. In particular, this means that we can move commutators to the front.

Hence, we can simplify $s_1^{x_1} \cdots s_m^{x_m}\, s_1^{y_1} \cdots s_m^{y_m}\, s_m^{-x_m - y_m} \cdots s_1^{-x_1 - y_1}$ by introducing commutators to move
each factor of $s_j^{-x_j}$ in front of each remaining factor of $s_i^{y_i}$. In the example above, we saw that there was no
moving required for $i = m$, while $i = m - 1$ only needs to move past $j = m$. In general, we will need to swap
each pair of this form with $i < j$. Each such swap introduces a commutator, but since these are all in $A$, we
can immediately move them to the front and continue swapping these factors and canceling the matching
factors until nothing remains.

Finally, note that a swap of $s_i^{y_i}$ and $s_j^{-x_j}$ can be thought of as a number of swaps between $s_i$'s and $s_j^{-1}$'s.
Since each of the $y_i$ copies of the first must move past each of the $x_j$ copies of the second, we see that
there are $y_i x_j$ swaps overall. Thus, we can write the commutator as $[s_i, s_j^{-1}]^{y_i x_j}$, giving us the form in the
statement of the lemma. □

The following is the main result needed for our algorithm. 

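Lemma 3.10. Let $f, f' \in Z^2_{\mathcal{F}}(G, A)$. Write these in the form of the previous lemma with $\{\alpha_i\}$, $\{\beta_{ij}\}$ for $f$
and $\{\alpha_i'\}$ and $\{\beta_{ij}'\}$ for $f'$. Then $f - f' \in B^2_{\mathcal{F}}(G, A)$ iff $\beta_{ij} = \beta_{ij}'$ for all $1 \le i < j \le m$ and $(\alpha_i)^{-1}\alpha_i'$ has
a $d_i$-th root in $A$.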

Proof. We begin with the reverse direction. Let $a_i \in A$ be a $d_i$-th root of $(\alpha_i)^{-1}\alpha_i'$. Recall that $\alpha_i = s_i^{d_i}$.
Replacing $s_i$ with $s_i a_i$ gives another valid set of representatives and, hence, an extension equivalent to $f'$.
Defining $f''$ using this set of representatives gives an $\alpha_i'' = s_i^{d_i} a_i^{d_i} = \alpha_i (\alpha_i)^{-1} \alpha_i' = \alpha_i'$. Since $f$ and $f'$ agree
on the $\beta_{ij}$'s and including extra factors from $A$ does not change the $\beta_{ij}$'s (since $A$ is central and $\beta_{ij}$ is
a commutator), we see that $f''$ and $f'$ agree on both the $\alpha_i$'s and $\beta_{ij}$'s, so $f'' = f'$. Next, since $f$ and
$f''$ arise by choosing different representatives for the same extension, we know that $f - f'' \in B^2(G, A)$.
However, since $f, f'' \in Z^2_{\mathcal{F}}(G, A)$, we have $f - f'' \in B^2_{\mathcal{F}}(G, A)$ by Lemma 3.7. Thus, we can see that

$$f - f' = (f - f'') + (f'' - f') = f - f'' \in B^2_{\mathcal{F}}(G, A).$$

For the forward direction, we will separately prove the two implications, that $f - f' \in B^2_{\mathcal{F}}(G, A)$ implies
the condition on the $\beta_{ij}$'s and that it implies the condition on the $\alpha_i$'s.

For the condition on the $\beta_{ij}$'s, we will prove the contrapositive. First, suppose that $\beta_{ij} \ne \beta_{ij}'$ for some
$i < j$. From the formula in Lemma 3.8, we can see that $h(e_i, e_j) = e$ for any $h \in B^2_{\mathcal{F}}(G, A)$. On the other
hand, from the formula in Lemma 3.9, we see that $f(e_i, e_j) = \beta_{ij} \ne \beta_{ij}' = f'(e_i, e_j)$. Since every coboundary
is $e$ on this pair, we conclude that $f - f' \notin B^2_{\mathcal{F}}(G, A)$.

Now, we prove the condition on the $\alpha_i$'s. Suppose that $h = f' - f \in B^2_{\mathcal{F}}(G, A)$. From the formula
in Lemma 3.8, writing the constants for $h$ as $\alpha_i''$, we can see that $h(e_i, (d_i - 1)e_i) = \alpha_i'' = a_i^{d_i}$. From the
formula in Lemma 3.9, we see that $f(e_i, (d_i - 1)e_i) = \alpha_i$ and $f'(e_i, (d_i - 1)e_i) = \alpha_i'$. Taking $f' - f = h$ at
the pair $(e_i, (d_i - 1)e_i)$ and writing with multiplicative notation, we see that $\alpha_i'(\alpha_i)^{-1} = \alpha_i'' = a_i^{d_i}$. Since
$(\alpha_i)^{-1}\alpha_i' = \alpha_i'(\alpha_i)^{-1}$ (both are in $A$), we see that the $d_i$-th root exists.

Thus, we have seen that, if the condition on the $\beta_{ij}$'s and $\alpha_i$'s does not hold (so either the $\beta_{ij}$ condition
does not hold or the $\alpha_i$ condition does not hold), it is impossible to have $f - f' \in B^2_{\mathcal{F}}(G, A)$. □

We now have the necessary tools required to prove the theorem in this case. 

Proof of Theorem 3.3. Assuming that we can compute a factor set in $Z^2_{\mathcal{F}}(G, A)$ for each extension, we only
need to compute the $\alpha_i$'s and $\beta_{ij}$'s from Lemma 3.10 for each factor set and check whether they satisfy the
conditions of the last lemma.

We saw in the proof of the lemma that these constants can be found simply by evaluating the factor set
at particular points. There are only $O(m^2) = O(\log^2 |G|)$ constants to compute. Given the simple form of
each $f \in Z^2_{\mathcal{F}}(G, A)$, it is clear that we can perform these evaluations efficiently. Thus, we can efficiently
determine the $\alpha_i$'s and $\beta_{ij}$'s.

For the $\beta_{ij}$'s, the conditions of Lemma 3.10 require us simply to check equality, which we can do for
each $(i, j)$ with one call to the oracle for $A$. For the $\alpha_i$'s, on the other hand, we need to determine whether
the quotient of two $\alpha_i$'s has a $d_i$-th root.

Recalling that $A$ is an abelian group, we can switch back to additive notation. Our goal is to determine
whether there exists an $a \in A$ such that $d_i a = \alpha_i' - \alpha_i$. Since $A$ is isomorphic to a product $\mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$, this
splits into $k$ independent equations. For each $1 \le j \le k$, we want to find an $a_j$ such that $d_i a_j = (\alpha_i' - \alpha_i)_j
\pmod{n_k}$ or, equivalently, if there exist $a_j$ and $b_j$ such that $a_j d_i + b_j n_k = (\alpha_i' - \alpha_i)_j$. Let $d$ be the greatest
common divisor of $d_i$ and $n_k$. We can solve this equation iff $d$ divides $(\alpha_i' - \alpha_i)_j$.
Thus, for the $\alpha_i$'s, the conditions of Lemma 3.10 require us to compute the $\alpha_i$'s, split them into the parts
of the direct product, and then check whether the difference in each component is divisible by the greatest
common divisor of $d_i$ and $n_k$. We get $d_i$ by decomposing $G$ into a direct product of cyclic groups
using the algorithm of [5]. We apply the same algorithm to $A$ to find $n_k$ and the $(\cdot)_j$ components of $\alpha_i' - \alpha_i$
needed above (footnote 16). We simply need to check divisibility for $O(\log |G|)$-bit numbers, which we can do efficiently on
a classical computer. Since the quantum algorithm of [6] is efficient, we have seen that there is an efficient
quantum algorithm for testing whether the difference of two factor sets is a coboundary.

It remains to describe how to compute each factor set or, more specifically, the representatives $s_1, \dots, s_m$
for each of the direct factors (since we can efficiently evaluate a factor set given these numbers). As in our
earlier quantum algorithm, we can produce nearly uniformly random elements from $E$ and then apply the
oracle to find the corresponding elements of $G$. This process gives us nearly uniformly random elements of
$G$. As we have seen before, we need only $O(\log |G|)$ random elements to get a set that generates all of $G$.
The key fact is that we have not only a generating set for $G$ but rather a generating set for $G$ with each
generator coming from an element in $E$.

Since these generate $G$, we know that, for each $i \in [m]$, there exists a product that gives $e_i \in G$. The
corresponding product of elements of $E$ is thus a representative of $e_i$. To find this product, we apply the
algorithm of [6] to express $G$ as a direct product of cyclic groups and get the relations for converting from the
generators we have to the standard generators for the direct factors. These relations come in the form of an
$O(\log |G|) \times O(\log |G|)$ matrix. For each $i \in [m]$, one column of this matrix gives the relation for generating
$e_i$ as a product of powers of $O(\log |G|)$ of our random elements. Since we can compute powers efficiently and
this matrix is small, we can efficiently compute this product to get $e_i$. More importantly, we can compute
the product of the elements of $E$ corresponding to these generators to produce a representative of $e_i$. This
is a valid choice for $s_i$.

In summary, we find a set of representatives $\{s_i\}$ for each extension that allows us to efficiently compute
a factor set in $Z^2_{\mathcal{F}}(G, A)$. Then, we can check whether their difference lies in $B^2_{\mathcal{F}}(G, A)$ by computing the
$\alpha_i$'s and $\beta_{ij}$'s for each extension and checking the conditions of the lemma. As we saw above, both of these
steps can be performed efficiently on a quantum computer. □
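The classical post-processing in the proof above (the per-component gcd test for a $d_i$-th root, and the two conditions of Lemma 3.10) can be checked against an exhaustive search over 1-cochains when the groups are tiny. The following Python sketch is an added example, not code from the paper; the function names and the sample groups $G = \mathbb{Z}_3$, $A = \mathbb{Z}_6 \times \mathbb{Z}_4$ are constructed for illustration, and each component of $A$ is reduced modulo its own cyclic order.

```python
from itertools import product
from math import gcd


def solve_component(d, c, n):
    """Return one a with d*a = c (mod n), or None if no solution exists."""
    g = gcd(d, n)
    if c % g:                      # solvable iff gcd(d, n) divides c
        return None
    m = n // g
    return 0 if m == 1 else (c // g) * pow(d // g, -1, m) % m


def dth_root(diff, d, moduli):
    """Additive 'd-th root' in A = Z_{n_1} x ... x Z_{n_k}: a tuple a with d*a = diff, or None."""
    roots = [solve_component(d, c % n, n) for c, n in zip(diff, moduli)]
    return None if None in roots else tuple(roots)


def lemma_3_10_equivalent(alpha, alpha_p, beta, beta_p, ds, moduli):
    """Conditions of Lemma 3.10 on the constants of two factor sets.

    alpha[i], alpha_p[i] are elements of A (tuples reduced mod moduli),
    beta, beta_p map index pairs (i, j), i < j, to elements of A,
    ds[i] is the order of the i-th cyclic factor of G.
    """
    if beta != beta_p:             # the beta_ij must agree exactly
        return False
    for a, ap, d in zip(alpha, alpha_p, ds):
        diff = tuple((y - x) % n for x, y, n in zip(a, ap, moduli))
        if dth_root(diff, d, moduli) is None:
            return False
    return True


def coboundary_exists(diff, d, moduli):
    """Exhaustive check for cyclic G = Z_d (so m = 1 and there are no beta_ij).

    Is h(x, y) = diff * delta(x, y), with delta = 1 iff x + y >= d, equal to
    v(x) + v(y) - v(x + y) for some normalized 1-cochain v : Z_d -> A?
    """
    A = list(product(*[range(n) for n in moduli]))
    zero = tuple(0 for _ in moduli)

    def add(p, q):
        return tuple((x + y) % n for x, y, n in zip(p, q, moduli))

    def sub(p, q):
        return tuple((x - y) % n for x, y, n in zip(p, q, moduli))

    for values in product(A, repeat=d - 1):
        v = (zero,) + values       # normalized: v(0) = 0
        if all(sub(add(v[x], v[y]), v[(x + y) % d]) == (diff if x + y >= d else zero)
               for x in range(d) for y in range(d)):
            return True
    return False


if __name__ == "__main__":
    d, moduli = 3, (6, 4)          # constructed sample: G = Z_3, A = Z_6 x Z_4
    for D in product(*map(range, moduli)):
        print(D, dth_root(D, d, moduli), coboundary_exists(D, d, moduli))
```

For the sample groups the gcd test and the exhaustive search agree on all 24 possible differences, of which 8 are coboundaries.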

3.5 Algorithms for Non-Central Extensions 

It is not hard to extend our algorithms to general extensions, i.e., without the assumption that $A$ is central
in $E_1$ and $E_2$.

The core fact needed by both algorithms is the correspondence between equivalence classes of extensions
and elements of $H^2(G, A)$ given in Lemma 2.1. This relationship indeed holds for general extensions (i.e.,
under the assumption that $A$ is abelian but not necessarily central). However, in the general setting, the
definition of $H^2(G, A)$ is more complex.

If $E$ is an extension of $G$ by $A$ and $t \in E$ is a representative of $g \in G$, then it does not hold that $t^{-1}at = a$
for all $a \in A$ if $A$ is not central. It is easy to check that $t^{-1}at \in A$, however, and that any two representatives
of $g \in G$ define the same action $a \mapsto a^g = t^{-1}at$. In fact, this defines a homomorphism $\varphi : G \to \operatorname{Aut} A$, as
occurs in a semi-direct product.

In the general case, extensions are identified not only by the groups $G$ and $A$ but also by $\varphi : G \to \operatorname{Aut} A$.
Two extensions of $G$ by $A$ with action $\varphi$ are equivalent if there exists a structure preserving isomorphism,
as before. Lemma 2.1 then holds using a definition of $H^2(G, A)$ that changes the formula for $\partial$ to include $\varphi$.

In our algorithms, the only change is that we must use the new formula when constructing a generating
set for $B^2(G, A)$. This new formula is $(\partial f)(x, y) = f(x)^y + f(y) - f(xy)$, where the action $a^y$ of $G$ on $A$ is
given by $\varphi$. Since this action is just conjugation by a representative and we have a representative for each
$y \in G$, it is clear that we can compute this formula just as well. Hence, we can efficiently test equivalence of
non-central group extensions of $G$ by $A$, in both models, with the same running times.

16 The algorithm of [6] computes not only generators for the factors of the direct product but also formulas (the vectors $y_i$)
for converting from the original generators to the new ones. The map taking $\mapsto$ is invertible, so we can efficiently compute
the reverse direction (from new generators to the original ones) as well.

3.6 Impossibility for Classical Algorithms in the Black Box Model 

In this subsection, we show that the problem solved by our quantum algorithm is classically hard under the
assumption of the Goldwasser-Micali cryptosystem that quadratic residuosity is classically hard. Our proof
is a reduction from quadratic residuosity to testing equivalence of central extensions. Hence, this argues that
the problem for black box groups is hard even for the simpler case of central extensions.

Proof of Theorem 3.4. The inputs to quadratic residuosity are a large number $N$ and a $y \in \mathbb{Z}_N^*$, the group
of multiplicative units modulo $N$. (We are also assured that the Jacobi symbol of $y$ is $+1$, though that will
play no part in the construction.) Both of these inputs are encoded in $O(\log N)$ bits, so an algorithm is only
efficient if it runs in $O(\operatorname{poly} \log N)$ time.

The objective for this problem is to determine whether $y$ has a square root in $\mathbb{Z}_N^*$, that is, whether there
exists an $x \in \mathbb{Z}_N^*$ such that $y = x^2 \pmod{N}$. If such an $x$ exists, $y$ is called a "quadratic residue". Our
reduction will construct two central extensions of $\mathbb{Z}_2$ by $\mathbb{Z}_N^*$ that are equivalent iff $y$ is a quadratic residue.
Since $\mathbb{Z}_2$ is both small and abelian, this is a special case of both models we considered for quantum algorithms.
Hence, this one reduction will show that both problems are as hard as quadratic residuosity.

As mentioned above, we can create a group extension from any factor set $f : \mathbb{Z}_2 \times \mathbb{Z}_2 \to \mathbb{Z}_N^*$. If we know
the values of this function, then we can perform multiplication by $(x, a)(y, b) = (xy f(a, b), a + b)$ (footnote 17). It is
well-known that we can perform group operations in $\mathbb{Z}_N^*$ in $O(\operatorname{poly} \log N)$ time, and group operations in $\mathbb{Z}_2$
take constant time, so this computation can be performed efficiently. Likewise, the inverse of $(x, a)$, given by
$(x^{-1} f(a, -a)^{-1}, -a)$, can also be computed efficiently. Finally, we can easily check for the identity element,
which is $(1, 0)$. This shows that we can efficiently provide an oracle for these extensions, once we have chosen
their factor sets.

Each factor set provides only four outputs since $|\mathbb{Z}_2 \times \mathbb{Z}_2| = 4$. Furthermore, as noted in the definition,
any factor set must also satisfy $f(a, e) = f(e, b) = e$ for all $a, b \in G$. In this case, that means that
$f(0, 0) = f(0, 1) = f(1, 0) = 1$. Thus, each factor set is defined by the single value $f(1, 1)$. We will choose
one extension to have $f(1, 1) = 1$ and the other to have $f(1, 1) = y$. Since $y$ is provided in the input, it is
clear that we can efficiently compute the value $f(a, b)$ for either of these extensions.

We should also note that, for an $f$ so defined to be a 2-cocycle, it must satisfy the additional (odd-looking)
condition provided in the definition. This condition ranges over three variables $a, b, c \in G$, and since $|G| = 2$
in this case, this provides 8 equations that must be satisfied. It is a simple matter to write these out for the
two factor sets described above and verify that these always hold, regardless of the value of $f(1, 1)$, so we
have the freedom to choose $f(1, 1) = y$ as above.

In addition to the oracle just described, our extension equivalence test requires descriptions of the groups
$A$, $G$, and $E$. For $G = \mathbb{Z}_2$, we can compute a multiplication table in constant time (for the first quantum
model) or we can easily construct an oracle that computes group operations in $\mathbb{Z}_2$ in constant time (for the
second quantum model). For $A = \mathbb{Z}_N^*$, we can produce a generating set (with high probability) by choosing
$O(\log N)$ random elements. To do this, we simply choose random elements of $\mathbb{Z}_N$ and then check that they
are in $\mathbb{Z}_N^*$ by computing the GCD with $N$. It is well-known that this can be done efficiently, and since there
is only a $o(1)$ chance that this test fails, we can produce a generating set in $O(\operatorname{poly} \log N)$ time. Finally,
for the group $E$, we can again choose $O(\log N)$ random elements (since $|E| = 2|A|$), and since $E$ as a set is
simply $\mathbb{Z}_N^* \times \mathbb{Z}_2$, we can choose a uniformly random element of $E$ by choosing $x \in \mathbb{Z}_N^*$ and $a \in \mathbb{Z}_2$ uniformly,
then forming $(x, a)$.

17 Note that the group operation in $\mathbb{Z}_N^*$, while abelian, is usually written as multiplication, while that of $\mathbb{Z}_2$ is written as
addition. We will follow those conventions in this section. Note, however, that we used the opposite conventions for $A$ and $G$
in earlier sections.

The last input we must provide for extension equivalence is the isomorphism $E_i/\mathbb{Z}_N^* \cong \mathbb{Z}_2$. This is simply
the function that maps $(x, a) \mapsto a$. Obviously, this can be performed efficiently.

Let $E_1$ be the extension with factor set $f_1$ having $f_1(1, 1) = y$ and $E_2$ be the extension with $f_2$ having
$f_2(1, 1) = 1$. Then we can see that $f_1 f_2^{-1} = f_1$. Thus, these extensions are equivalent iff there exists a cochain
$s : \mathbb{Z}_2 \to \mathbb{Z}_N^*$ such that $\partial s = f_1$. By construction, any $s$ will ensure that $\partial s(0, 0) = \partial s(0, 1) = \partial s(1, 0) = 1$
(otherwise, they would not be valid factor sets), so we only need $\partial s(1, 1) = f_1(1, 1) = y$. Let $x = s(1)$ (footnote 18).
Then $\partial s(1, 1) = s(1)s(1)s(1 + 1)^{-1} = x \cdot x \cdot 1^{-1} = x^2$. Thus, we can see that the extensions are equivalent
iff there exists an $x \in \mathbb{Z}_N^*$ such that $x^2 = y$, i.e., iff $y$ is a quadratic residue. □

Note that this example shows that extending even a constant-sized group (in this case, |G| = 2) by a 
large group can introduce substantial difficulty. 
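The reduction can be verified exhaustively for a toy modulus. The following Python sketch is an added example, not code from the paper: it implements the oracle operations given in the proof, checks the 2-cocycle condition in its standard form $f(a,b)f(a+b,c) = f(b,c)f(a,b+c)$ (an assumption, since this section does not restate the condition), and searches for an isomorphism $E_2 \to E_1$ that fixes $\mathbb{Z}_N^*$ and commutes with the projection to $\mathbb{Z}_2$. The modulus $N = 21$ and all class and function names are constructed for illustration.

```python
from math import gcd


def units(N):
    """Elements of Z_N^* (enumeration is only feasible for a toy modulus)."""
    return [x for x in range(1, N) if gcd(x, N) == 1]


class Z2Extension:
    """Central extension of Z_2 by Z_N^* with factor set f(1,1) = f11 and f = 1 elsewhere.

    Elements are pairs (x, a) with x in Z_N^* and a in Z_2.
    """

    def __init__(self, N, f11):
        self.N, self.f11 = N, f11 % N

    def f(self, a, b):
        return self.f11 if (a, b) == (1, 1) else 1

    def mul(self, p, q):           # (x,a)(y,b) = (x*y*f(a,b), a+b)
        (x, a), (y, b) = p, q
        return (x * y * self.f(a, b) % self.N, (a + b) % 2)

    def inv(self, p):              # (x,a)^-1 = (x^-1 * f(a,-a)^-1, -a)
        x, a = p
        return (pow(x * self.f(a, -a % 2), -1, self.N), -a % 2)

    def is_identity(self, p):
        return p == (1, 0)

    def project(self, p):          # the map E -> Z_2, (x, a) |-> a
        return p[1]

    def elements(self):
        return [(x, a) for x in units(self.N) for a in (0, 1)]


def is_cocycle(ext):
    """Check the 8 cocycle equations over a, b, c in Z_2."""
    N = ext.N
    return all(ext.f(a, b) * ext.f((a + b) % 2, c) % N ==
               ext.f(b, c) * ext.f(a, (b + c) % 2) % N
               for a in (0, 1) for b in (0, 1) for c in (0, 1))


def find_equivalence(E1, E2):
    """Search for an equivalence tau : E2 -> E1.

    Any map fixing Z_N^* and commuting with the projection has the form
    tau(x, a) = (x * c**a, a) for a single unit c, so it suffices to try every
    c and test the homomorphism property on all pairs. Returns c or None.
    """
    N = E1.N
    elems = E2.elements()
    for c in units(N):
        def tau(p, c=c):
            return (p[0] * (c if p[1] else 1) % N, p[1])
        if all(tau(E2.mul(p, q)) == E1.mul(tau(p), tau(q)) for p in elems for q in elems):
            return c
    return None


def is_quadratic_residue(y, N):
    return any(x * x % N == y % N for x in units(N))


if __name__ == "__main__":
    N = 21                         # constructed toy modulus, 3 * 7
    trivial = Z2Extension(N, 1)
    for y in units(N):
        c = find_equivalence(Z2Extension(N, y), trivial)
        print(y, "QR" if is_quadratic_residue(y, N) else "non-residue", "equivalence c =", c)
```

For $N = 21$, $y = 5$ has Jacobi symbol $+1$ but is not a square, and the search finds no equivalence, which is the case the Goldwasser-Micali assumption says cannot be detected efficiently for large $N$.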

3.7 Counting Equivalence Classes of Extensions 

In this section, we show that it is possible to compute $|H^2(G, A)|$, the number of inequivalent extensions
of $G$ by $A$, using the machinery developed earlier for testing equivalence. The size $|H^2(G, A)|$ is another
quantity that is sometimes computed by hand for extensions of small groups and would be interesting to
compute for larger groups.

We start first with the quantum algorithm, which takes $A$ as a black box group and $G$ given by a
multiplication table.

Proof of Theorem 3.6. Since $H^2(G, A) = Z^2(G, A) / B^2(G, A)$, we can compute the size of the former group
from the sizes of the latter two. In fact, we computed $|B^2(G, A)|$ as part of our quantum algorithm for
testing equivalence, so we know how this can be done.

To compute $|Z^2(G, A)|$, we use the fact that $Z^2(G, A) = \operatorname{Ker} \partial^2$, where $\partial^2 : C^2(G, A) \to B^3(G, A)$ is
similar to the map $\partial$ ($= \partial^1$) we used above. This map is a surjection, so the first isomorphism theorem tells
us that $B^3(G, A) = C^2(G, A)/Z^2(G, A)$, which means that $|Z^2(G, A)| = |C^2(G, A)| / |B^3(G, A)|$. From the
definition, we have $|C^2(G, A)| = |A|^{|G|^2}$.

To compute $|B^3(G, A)|$, we can use the same approach as for $B^2(G, A)$: we take a generating set for
$C^2(G, A)$, which is simply $|G|^2$ copies of the generating set for $A$ and has size $O(|G|^2 \log |A|)$; push this
forward into $B^3(G, A)$ by applying the map $\partial^2$, which has a simple formula; and then invoke the algorithm
for computing the size of an abelian black box group. With $|B^3(G, A)|$ in hand, we can compute $|Z^2(G, A)|$
and then $|H^2(G, A)|$ by arithmetic. All of these steps can be done in $O(\operatorname{poly} |G| \operatorname{poly} \log |A|)$ time, so this
gives an efficient algorithm. □

Finally, we have a classical algorithm when A and G are given by multiplication tables. 

Proof of Theorem 3.5. We repeat the same approach as just described for the quantum algorithm of computing
$|B^2(G, A)|$ and $|B^3(G, A)|$. Now, our classical algorithm for testing equivalence did not compute
$|B^2(G, A)|$ as part of its operation. However, we did show how to efficiently construct a permutation
representation for $B^2(G, A)$, and it is well-known that we can compute the size of a permutation group efficiently
[11], so we can compute the size of this group classically as well.

We can also efficiently construct a generating set for $B^3(G, A)$, just as we did above, by taking a generating
set for $C^3(G, A)$ (in the same manner as we did for $C^2(G, A)$ in the classical case) and pushing it forward
using $\partial^2$. We can compute the size of this group efficiently as well, using the algorithm mentioned above,
and then perform the same arithmetic as above. □

18 Any (normalized) 1-cochain $s$ must have $s(0) = 1$, so 1-cochains in this case are in 1-to-1 correspondence with the elements
of $\mathbb{Z}_N^*$ by the mapping $s \mapsto s(1)$.



4 Conclusion 

In this paper, we considered the problem of testing whether two extensions of a group $G$ by an abelian group
$A$ are the same or "equivalent." If both $|A|$ and $|G|$ are small, then we showed that there exists an efficient
(classical) Monte Carlo algorithm for testing equivalence. On the other hand, if $|A|$ is so large that $A$ can
only be provided as a black box and either $|G|$ is small or $|G|$ is large and abelian, then there is still an
efficient quantum algorithm for testing equivalence, whereas no efficient classical algorithm exists, under the
assumption that there is no efficient classical algorithm for testing quadratic residuosity.

As mentioned in the introduction, one of the motivations for studying this problem is its relationship 
to the group isomorphism problem, an important open problem in computer science. Hence, it is worth 
considering what light these results shed on the group isomorphism problem. 

While the isomorphism problem applies to arbitrary groups, it is widely believed that the case of
2-nilpotent groups contains the essential hard cases. Any such groups are central extensions, and hence, we
can apply our classical algorithm above to test their equivalence. If the two extensions are equivalent, then
they are isomorphic. However, the opposite does not hold.

We can conclude from this that, if it is the case that testing isomorphism of 2-nilpotent groups is hard, 
then the hardness must come from extensions that are isomorphic but inequivalent. Hence, it behooves us 
to understand further the computational complexity of distinguishing such extensions. 

Acknowledgements The author would like to thank Aram Harrow for many useful discussions, much 
A Quantum Algorithm for Computing Group Size

The quantum algorithm in subsection 3.3 requires a subroutine that computes the size of a black box group.
Earlier, we cited the algorithm and analysis of [6, 9] but skipped some of the finer details of how the theorems
from those papers translate into a running time for this subroutine in our algorithm. In this section, we fill
in those missing details.

The algorithm of [6] is not explicitly for computing the size of the group. Rather, it is for decomposing 
the group into a direct product of cyclic groups. That is, it produces a set of generators, one for each of the 
direct factors. However, it is easy to compute the size of the group from this information. 

In particular, the size of the group is simply the product of the sizes of the direct factors, and since each 
of these is a cyclic group, the size of each direct factor is simply the order of the generator. Hence, we can 
get the size of the group from the output of this algorithm by invoking an order finding subroutine. 

Finding order is a special case of the algorithm for computing the period of a function, which is also
described and analyzed in [9]. In our case, the function whose period we want to find is the map $n \mapsto g^n$,
where $g \in A$ is the generator whose order we are computing. Since the order of $g$ is bounded by $|A|$, the
method of repeated squaring allows us to compute this map with $O(\log |A|)$ calls to the oracle for $A$.

The quantum period finding algorithm makes only one call to the function just described, taking $O(\log |A|)$
time. However, it must also perform $O(\log^2 |A|)$ post-processing, which dominates the running time.

To compute the size of our group, we need to find the order of all $O(|G| \log |A|)$ generators, which we
can see takes $O(|G|^2 \log^3 |A|)$ time. This adds only a lower order term to the overall running time.

That completes the discussion of our own post-processing to compute the size of the group. However, we
will also need to perform some pre-processing. 

The algorithm described in [9] requires that all of the given generators have order that is $p^k$ for some
fixed prime p. This is done in order to reduce the amount of quantum computation that is needed because 
separation into different p-groups can be done classically, as we will now describe. 

We start by finding the order of each generator. As noted above, this takes $O(|G|^2 \log^3 |A|)$ time. Next,
we factor the order using Shor's algorithm [12], which takes $O(\log^3 |A|)$ time. Now, suppose that the order of
$g$ is $r = p_1^{a_1} \cdots p_k^{a_k}$. Then, if we let $q_\ell = \prod_{i \neq \ell} p_i^{a_i}$, then we can see that the order of $g^{q_\ell}$ is $p_\ell^{a_\ell}$. Furthermore, we
know from the Chinese remainder theorem that any $x \in \mathbb{Z}_r$ is uniquely determined by the values $x \bmod p_\ell^{a_\ell}$
for each $\ell$. Hence, any power of $g$ can be written uniquely as a product of powers of $g^{q_1}, \dots, g^{q_k}$.

We now have a generating set for which we know the prime power order of each element. Thus, we can 
separately pass the generators for each p-subgroup (those whose order is a power of p) to the algorithm 
from [B]. The structure theorem for finite abelian groups tells us that our group is a direct product of the 
p-subgroups, so we can simply multiply their sizes to get the size of the whole group. 
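
The pre-processing just described, as an added example that is not code from the paper: a classical Python simulation in which brute-force order finding, trial division and subgroup enumeration stand in for quantum order finding, Shor's algorithm and the decomposition algorithm. The sample oracle `mul35` for the group $(\mathbb{Z}/35\mathbb{Z})^*$ and all function names are assumptions of the example.

```python
from math import prod

def power(g, n, mul, identity):  # g^n by repeated squaring: O(log n) oracle calls
    result = identity
    while n:
        if n & 1:
            result = mul(result, g)
        g, n = mul(g, g), n >> 1
    return result

def order(g, mul, identity):  # brute-force stand-in for quantum order finding
    r, x = 1, g
    while x != identity:
        x, r = mul(x, g), r + 1
    return r

def factor(r):  # trial-division stand-in for Shor; returns {prime: exponent}
    out, p = {}, 2
    while r > 1:
        while r % p == 0:
            out[p], r = out.get(p, 0) + 1, r // p
        p += 1
    return out

def split_by_prime(gens, mul, identity):  # g -> its prime-power components g^(q_l)
    parts = {}
    for g in gens:
        r = order(g, mul, identity)
        for p, a in factor(r).items():
            q = r // p**a  # q_l = product of p_i^a_i over i != l
            parts.setdefault(p, []).append(power(g, q, mul, identity))
    return parts

def generated_size(gens, mul, identity):  # enumeration stand-in for decomposition
    seen, todo = {identity}, [identity]
    while todo:
        x = todo.pop()
        new = {mul(x, g) for g in gens} - seen
        seen |= new
        todo.extend(new)
    return len(seen)

def group_size(gens, mul, identity):
    parts = split_by_prime(gens, mul, identity)
    return prod(generated_size(gs, mul, identity) for gs in parts.values())

def mul35(a, b):  # constructed sample oracle: the group (Z/35Z)^*
    return a * b % 35
```

With generators 2 and 3 (each of order 12), the split yields generators of orders 4 and 3 for the 2-subgroup and the 3-subgroup, whose sizes 8 and 3 multiply to the group size 24.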

We can see that this pre-processing adds only a lower order term to the running time of the algorithm. 
While our generating set for the whole group may have grown, each generator adds at most a single generator 
to the set for each p-subgroup, so the running time of the group decomposition algorithm that we analyzed 
before is unchanged. The one difference is that we may need to invoke that algorithm as many as $\log |A|$
times, so this adds a factor of $\log |A|$ to our bound on the running time.

Finally, we should note that the decomposition algorithm described in [9] also mentions $O(k^2 \log q)$
classical group multiplications (meaning multiplication in the group $\mathbb{Z}_q^k$). This is dominated by the $O(k^3 \log q)$
part of the post-processing, which works in the same group, so it does not add to the overall running time.